Aliases: W32.Gavgent
Variants: Robknot.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Jul 2005
Damage: Medium

Characteristics: W32.Gavgent.A is a visible and easy to detect worm since the compromised computer becomes inoperable because this worm frequently restarts it. It is also a network aware worm that spreads on network and local drives. It also exploits and opens Microsoft Paint in an attempt to hide its presence. Tracks are then hidden to most antivirus programs. It also adds a task to scheduler. This commands the worm to run 19:00 every day. All platforms of windows are vulnerable to this worm, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.

More details about W32.Gavgent.A

Technically, this worm spreads by copying itself with the hidden and system attributes. Sometimes, it changes the boot sector and this could result in the inability of the computer to run. The files consist of CVT32.pif, At1.job, winword.sys, ntsvc.exe and INDONESIA-RAYA-INDONESIA-MERDEKA-17-AGUSTUS-1945.INF files which are mostly seen at windows directory or system folders. It also automatically updates itself from a website http://merdeka.t35.com/[REMOVED]MasterVaganza.doc. Security related system or processes are also halted by this worm such as NORTON, AVG, CILLIN, PANDA, NAV, MCAF, SCAN, VIRUS, PERSKY, VAKSIN, REGISTRY, TASK, JAVA, CONFIGURATION, COMMAND,CMD, CONTROL, SEARCH, BAT, INI and SYS. It also exploits email messaging system by gathering email addresses from the Windows Address Book and or Outlook. Then, it may send an email contact to a remote website http://merdeka.t35.com/[REMOVED]VagMail.php.

As such, this worm steals private information on the compromised computer. This information may lead to the hands of the black market. Confidential email messages and or usernames and passwords can also be sold or make use of in the internet. Furthermore, users should be wary that files malicious downloaded from an untrusted site should always be quarantined or check before execution. Removing this virus from your system must be taken seriously for any wrong deletion may result into further damaging your computer. As such you need to browse for Windows system directories because these are the directories this worm usually infiltrates. There may also be several copies of this virus in different locations. Thus, the user may need to perform the standard manual removal process to clean the computer from this worm and from its traces.